Preface 



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established 
by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector 
General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as 
part of our oversight responsibilities to promote economy, efficiency, and effectiveness within 
the department. 

This report presents the information technology (IT) management letter for the Federal 
Emergency Management Agency (FEMA) component of the DHS financial statement audit as of 
September 30, 2010. It contains observations and recommendations related to IT internal control 
that were summarized in the Independent Auditor's Report dated November 12, 2010 and 
presents the separate restricted distribution report mentioned in that report. The independent 
accounting firm KPMG LLP (KPMG) performed the audit procedures at the FEMA component 
in support of the DHS FY 2010 financial statements and prepared this IT management letter. 
KPMG is responsible for the attached IT management letter dated March 22, 2011, and the 
conclusions expressed in it. We do not express opinions on DHS' financial statements or 
internal control or conclusion on compliance with laws and regulations. 

The recommendations herein have been developed to the best knowledge available to our office, 
and have been discussed in draft with those responsible for implementation. We trust that this 
report will result in more effective, efficient, and economical operations. We express our 
appreciation to all of those who contributed to the preparation of this report. 




Frank Deffer 
Assistant Inspector General 
Information Technology Audits 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036-3389 



March 22, 2011 
Inspector General 

U.S. Department of Homeland Security 

Chief Information Officer and 

Chief Financial Officer 

Federal Emergency Management Agency 

Ladies and Gentlemen: 

We were engaged to audit the balance sheet of the U.S. Department of Homeland Security (DHS or 
Department), as of September 30, 2010 and the related statement of custodial activity for the year 
then ended (hereinafter referred to as "financial statements"). We were also engaged to examine 
the Department's internal control over financial reporting of the balance sheet as of September 30, 
2010 and the statement of custodial activity for the year then ended. We were not engaged to audit 
the statements of net cost, changes in net position, and budgetary resources as of September 30, 
2010 (hereinafter referred to as "other fiscal year (FY) 2010 financial statements"), or to examine 
internal control over financial reporting over the other FY 2010 financial statements. 

Because of matters discussed in our Independent Auditors' Report, dated November 12, 2010, the 
scope of our work was not sufficient to enable us to express, and we did not express, an opinion on 
the financial statements or on the effectiveness of DHS' internal control over financial reporting of 
the balance sheet as of September 30, 2010, and the related statement of custodial activity for the 
year then ended. Additional deficiencies in internal control over financial reporting, potentially 
including additional material weaknesses and significant deficiencies, may have been identified and 
reported had we been able to perform all procedures necessary to express an opinion on the 
financial statements or on the effectiveness of DHS' internal control over financial reporting of the 
balance sheet as of September 30, 2010, and the related statement of custodial activity for the year 
then ended; and had we been engaged to audit the other FY 2010 financial statements, and to 
examine internal control over financial reporting over the other FY 2010 financial statements. 

A control deficiency exists when the design or operation of a control does not allow management or 
employees, in the normal course of performing their assigned functions, to prevent, or detect and 
correct misstatements on a timely basis. A significant deficiency is a deficiency, or a combination 
of deficiencies, in internal control that is less severe than a material weakness, yet important enough 
to merit attention by those charged with governance. A material weakness is a deficiency, or a 
combination of deficiencies, in internal control, such that there is a reasonable possibility that a 
material misstatement of the entity's financial statements will not be prevented, or detected and 
corrected on a timely basis. 

The Federal Emergency Management Agency (FEMA) is a component of DHS. During our audit 
engagement, we noted certain matters in the areas of information technology (IT) configuration 
management, security management, access controls, segregation of duties, and contingency 
planning with respect to FEMA's financial systems IT general controls, which we believe 
collectively contribute to an IT material weakness at the DHS level. These matters are described in 
the IT General Control Findings and Recommendations section of this letter. 
The material weakness described above is presented in our Independent Auditors' Report, dated 
November 12, 2010. This letter represents the separate limited distribution letter mentioned in that 
report. 

The control deficiencies described herein have been discussed with the appropriate members of 
management, and communicated through Notices of Finding and Recommendation (NFR). 

Because of its inherent limitations, internal control over financial reporting may not prevent, or 
detect and correct misstatements. Also, projections of any evaluation of effectiveness to future 
periods are subject to the risk that controls may become inadequate because of changes in 
conditions, or that the degree of compliance with the policies or procedures may deteriorate. We 
aim to use our knowledge of FEMA gained during our audit engagement to make comments and 
suggestions that are intended to improve internal control over financial reporting or result in other 
operating efficiencies. We have not considered internal control since the date of our Independent 
Auditors' Report. 

The Table of Contents on the next page identifies each section of the letter. We have provided a 
description of key FEMA financial systems and IT infrastructure within the scope of our 
engagement to audit the FY 2010 DHS financial statements in Appendix A; a description of each 
internal control finding in Appendix B; and the current status of the prior year NFRs in Appendix C. 
Our comments related to certain additional matters have been presented in a separate letter to the 
Office of Inspector General and the FEMA Chief Financial Officer. 

FEMA's written response to our comments and recommendations, presented in Appendix D, has 
not been subjected to auditing procedures and, accordingly, we express no opinion on it. 

This communication is intended solely for the information and use of DHS and FEMA 
management, DHS Office of Inspector General, U.S. Office of Management and Budget, U.S. 
Government Accountability Office, and the U.S. Congress, and is not intended to be and should not 
be used by anyone other than these specified parties. 

Very truly yours, 
OBJECTIVE, SCOPE, AND APPROACH 

In connection with our engagement to audit the Department of Homeland Security's (DHS or 
department) balance sheet as of September 30, 2010 and the related statement of custodial activity 
for the year then ended, we performed an evaluation of information technology general controls 
(ITGC) at the Federal Emergency Management Agency (FEMA), to assist in planning and 
performing our audit. The Federal Information System Controls Audit Manual (FISCAM), issued 
by the Government Accountability Office (GAO), formed the basis of our ITGC evaluation 
procedures. The scope of the ITGC evaluation is further described in Appendix A. 

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to 
assist them in planning their audit work and to integrate the work of auditors with other aspects of 
the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and 
extent of review that generally should be performed when evaluating general controls and the IT 
environment of a federal agency. FISCAM defines the following five control functions to be 
essential to the effective operation of the general IT controls environment: 

• Security Management (SM) - Controls that provide a framework and continuing cycle of 
activity for managing risk, developing security policies, assigning responsibilities, and 
monitoring the adequacy of computer-related security controls. 

• Access Control (AC) - Controls that limit or detect access to computer resources (data, 
programs, equipment, and facilities) and protect against unauthorized modification, loss, and 
disclosure. 

• Configuration Management (CM) - Controls that help to prevent unauthorized changes to 
information system resources (software programs and hardware configurations) and provide 
reasonable assurance that systems are configured and operating securely and as intended. 

• Segregation of Duties (SD) - Controls that constitute policies, procedures, and an organizational 
structure to manage who can control key aspects of computer-related operations. 

• Contingency Planning (CP) - Controls that involve procedures for continuing critical operations 
without interruption, or with prompt resumption, when unexpected events occur. 

To complement our general IT controls audit procedures, we also performed technical security 
testing for key network and system devices, as well as testing over certain key financial application 
controls in the FEMA environment. The technical security testing was performed from within a 
select FEMA facility and focused on production devices that directly support FEMA's financial 
processing and key general support systems. Limited social engineering and after-hours physical 
security testing was also included in the scope of technical security testing. 

Additionally, during FY 2009, we were informed by FEMA management that the Grants & 
Training (G&T) Integrated Financial Management Information System (IFMIS) and Core IFMIS 
versions would be merged into one system. Between October 1, 2009 and February 22, 2010, G&T 
and Core IFMIS were both operational and used to process FEMA financial data. As a result, we 
performed testing for both the Core and G&T IFMIS versions. 
On February 23, 2010, FEMA suspended the use of the G&T IFMIS version and had completed the 
final changes to Core IFMIS, which then became IFMIS-Merger. We were informed that the 
final IFMIS-Merger version went live on February 23, 2010 and is now the system of record. 
Therefore, for the purposes of this letter, the audit test work conducted over general controls and 
weaknesses identified for Core IFMIS are reported as part of controls over IFMIS-Merger. 

In addition to testing FEMA's general control environment, we performed application control tests 
on a limited number of FEMA's financial systems and applications, specifically those supporting 
the National Flood Insurance Program (NFIP). The application control testing was performed to 
assess the controls that support the financial systems' internal controls over the input, processing, 
and output of financial data and transactions. Application Controls (APC) are the structure, 
policies, and procedures that apply to separate, individual application systems, such as accounts 
payable, inventory, or payroll. 
SUMMARY OF FINDINGS AND RECOMMENDATIONS 

During fiscal year (FY) 2010, FEMA took corrective action to address certain prior year IT control 
weaknesses. For example, FEMA made improvements over implementing certain logical and 
physical access controls over NFIP information systems, as well as development and maintenance 
of the inventory of FEMA Chief Financial Officer (CFO)-designed financial management systems. 
However, during FY 2010, we continued to identify ITGC weaknesses that could potentially impact 
FEMA's financial data. The most significant weaknesses from a financial statement audit 
perspective related to controls over security management, access control, configuration 
management, and contingency planning for the IFMIS-Merger, G&T IFMIS, the National 
Emergency Management Information System (NEMIS), Payment and Reporting System (PARS), 
Traverse, Transaction Record Reporting and Processing (TRRP), and associated General Support 
System (GSS) environments, as well as weaknesses over physical security and security awareness. 
Collectively, the ITGC weaknesses limited FEMA's ability to ensure that critical financial and 
operational data were maintained in such a manner to ensure confidentiality, integrity, and 
availability. In addition, these weaknesses negatively impacted the internal controls over FEMA 
financial reporting and its operation, and we consider them to collectively contribute to a material 
weakness at the DHS level under standards established by the American Institute of Certified Public 
Accountants. In addition, based upon the results of our test work, we noted that FEMA did not fully 
comply with the requirements of the Federal Financial Management Improvement Act of 1996. 

Of the 63 findings identified during our FY 2010 testing, 50 were repeat findings, either partially or 
in whole from the prior year, and 13 were new IT findings. These findings represent weaknesses in 
each of the five FISCAM key control areas. 

The majority of findings resulted from the lack of properly designed, detailed, and consistent 
guidance over financial system controls to enforce DHS Sensitive Systems Policy Directive 4300A, 
Information Technology Security Program, requirements and National Institute of Standards and 
Technology (NIST) guidance. Specifically, the findings stem from: 1) the lack of formal 
designation of financial system security responsibilities, 2) inadequately designed and operating 
access control policies and procedures relating to the management of access to financial 
applications, databases, and support systems, and supervisor recertification of user access 
privileges, 3) insufficient logging of system events and monitoring of audit logs, 4) inadequately 
designed and operating configuration management policies and procedures, 5) patch, configuration, 
and vulnerability management control deficiencies within the system, 6) financial systems that were 
not properly certified and accredited and authorized to operate, and 7) the lack of adequately 
documented or tested contingency plans. These weaknesses may increase the risk that the 
confidentiality, integrity, and availability of system controls and FEMA financial data could be 
exploited, thereby compromising the integrity of FEMA financial data used by management and 
reported in the DHS financial statements. 

While the recommendations made by us should be considered by FEMA, it is the ultimate 
responsibility of FEMA management to determine the most appropriate method(s) for addressing 
the weaknesses identified based on their system capabilities and available resources. 
IT GENERAL CONTROL FINDINGS AND RECOMMENDATIONS 

Findings: 

During the FY 2010 DHS financial statement audit engagement, we identified the following 
financial system ITGC deficiencies at FEMA that collectively contribute to an IT material weakness 
at the department level. Our findings focused on financial systems controls as testing over IT 
system functionality could not be conducted. 

Configuration Management: 

• Documented and approved procedures that establish formal requirements, processes, and 
responsibilities for performing regular vulnerability scans of NEMIS, IFMIS-Merger and 
G&T IFMIS had not been developed and implemented. Additionally, during periodic 
internal scans, vulnerabilities identified and related corrective actions were not reported and 
tracked via the Plan of Action & Milestones (POA&M) process in accordance with DHS 
policy. 

• Formal procedures for conducting internal scans of the NFIP Local Area Network (LAN) 
supporting Traverse were not developed, and scans were not conducted by FEMA or NFIP 
contractor management. Additionally, a formal process did not exist for the remediation of 
vulnerabilities identified during internal scans to ensure that the vulnerabilities were tracked 
and monitored via the POA&M process. 

• The list of NEMIS servers currently scanned internally by FEMA is incomplete and does 
not represent the current NEMIS system boundary. Additionally, NEMIS system owners 
are not receiving listings of all vulnerabilities noted on their system components to ensure 
corrective action is assigned for tracking and remediation. 

• The Standard Operating Procedure (SOP) for monitoring sensitive access to NEMIS 
operating system software was not implemented and did not include all NEMIS operating 
system servers that were within scope. Additionally, no application or tool was in place to 
support the audit logging function on the NEMIS servers. 

• NEMIS configuration management is not adequately and centrally controlled, documented, 
or managed throughout the lifecycle of the FEMA configuration management process. 
Additionally, implemented emergency and non-emergency changes to NEMIS system 
software were not consistently documented, tested, approved, controlled, tracked, and 
retained on file. 

• No formalized change management procedures exist for deploying changes to the NEMIS 
production environment to ensure that the movement of production code for NEMIS is 
appropriately controlled. Additionally, evidence could not be provided that management 
had appropriately restricted and controlled access to the NEMIS production application, 
web, and database servers for the deployment of changes. 

• G&T IFMIS contracted developers/programmers were granted unrestricted access to the 
production environment through the "ifmiscm" account, which was used to deploy changes 
into production. 
• Comprehensive configuration baselines for all relevant network devices such as firewalls, 
routers, and switches that support in-scope financial systems had not been established. 
Furthermore, configuration management policies and procedures did not include 
comprehensive requirements for the frequency, documentation and performance of 
monitoring audits for these baselines to ensure that configuration items (CIs) within the 
scope of the IFMIS-Merger and NEMIS systems are documented and monitored in 
accordance with FEMA policy. 

• Adequate segregation of duties controls had not been established for the movement of 
IFMIS-Merger changes into production as the IFMIS-Merger developer migrates changes 
into production. Additionally, formal procedures were not implemented to require 
monitoring of developers' changes to IFMIS-Merger directories and sub-directories to 
review and validate implemented changes. Furthermore, informal reviews of developer 
activities that were conducted did not provide enough information to ensure that the 
approved changes were implemented. 

• Throughout the lifecycle of the project to merge G&T IFMIS and Core IFMIS to IFMIS- 
Merger, FEMA management did not adequately define, implement, and integrate the 
required elements of the DHS System Engineering Life Cycle (SELC) process. We noted 
that the project lacked defined project review stages and approvals, system security 
requirements and milestones were not documented and integrated into the project plan, and 
a Data Migration Plan and Testing Strategy could not be provided. 

• The configuration management plans for IFMIS-Merger, Traverse, and TRRP did not 
comprehensively provide guidance to address all configuration management control 
elements required by FEMA and DHS policy for standard and emergency changes. 

• TRRP changes were not approved prior to development and implementation into 
production. 

• Formal patch management procedures for approving, testing, and ensuring timely 
installation of operating system patches for NEMIS, IFMIS-Merger, and G&T IFMIS were 
not developed and finalized until April 2010. Additionally, FEMA had not fully and 
consistently implemented the requirements and procedures documented. 

• Documented change management procedures did not include requirements for approving, 
testing, and ensuring timely installation of operating system patches for the NFIP LAN 
supporting Traverse. 

• The third-party development vendor was allowed use of NFIP system administrator 
accounts to logon and create sessions for installing Traverse system changes, and a formal 
process was not established for monitoring changes made by the vendor. 
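The scanning and POA&M findings above (scan coverage that does not match the system boundary, scan results not reported to system owners, and vulnerabilities not tracked to closure through the POA&M process) describe a reconciliation that can be automated. The following script is an added example, not part of the KPMG letter or any FEMA tool: it takes a constructed system boundary list, a constructed vulnerability scan export, and a constructed POA&M register, and reports the four conditions an auditor would look for. Hostnames, finding identifiers, POA&M identifiers, dates, and the CSV column layout are all assumptions.

```python
"""Reconcile internal vulnerability scan output against the system boundary
and the POA&M register.  Added example; every row below is constructed."""
import csv
import io
from datetime import date

# Constructed system boundary: hosts that the scan is required to cover.
BOUNDARY = ["nemis-app-01", "nemis-app-02", "nemis-db-01", "nemis-web-01"]

# Constructed scan export (placeholder hostnames and finding identifiers).
SCAN_CSV = """host,finding_id,severity,first_seen
nemis-app-01,VULN-1001,High,2010-05-03
nemis-app-01,VULN-1002,Low,2010-05-03
nemis-app-02,VULN-1001,High,2010-05-03
nemis-db-01,VULN-2001,Critical,2010-04-20
"""

# Constructed POA&M register: one row per tracked weakness.
POAM_CSV = """poam_id,host,finding_id,status,scheduled_completion
P-0001,nemis-app-01,VULN-1001,Open,2010-06-30
P-0002,nemis-db-01,VULN-2001,Closed,2010-05-15
"""

# Assumed policy: findings at these severities must be tracked in the POA&M.
TRACKED_SEVERITIES = {"Critical", "High", "Medium"}


def parse_csv(text):
    """Parse an in-memory CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(boundary, scan_rows, poam_rows, today):
    """Return the gaps between boundary, scan results and POA&M register."""
    scanned_hosts = {r["host"] for r in scan_rows}
    # 1. Boundary hosts that never appeared in the scan output at all.
    unscanned = sorted(set(boundary) - scanned_hosts)

    tracked = {(r["host"], r["finding_id"]) for r in poam_rows}
    present = {(r["host"], r["finding_id"]) for r in scan_rows}
    # 2. Reportable findings with no POA&M entry (open or closed).
    untracked = sorted(
        (r["host"], r["finding_id"], r["severity"])
        for r in scan_rows
        if r["severity"] in TRACKED_SEVERITIES
        and (r["host"], r["finding_id"]) not in tracked
    )
    # 3. Open POA&M items whose scheduled completion date has passed.
    overdue = sorted(
        r["poam_id"] for r in poam_rows
        if r["status"] == "Open"
        and date.fromisoformat(r["scheduled_completion"]) < today
    )
    # 4. POA&M items marked closed while the scanner still reports the finding.
    closed_but_present = sorted(
        r["poam_id"] for r in poam_rows
        if r["status"] == "Closed" and (r["host"], r["finding_id"]) in present
    )
    return {
        "unscanned_hosts": unscanned,
        "untracked_findings": untracked,
        "overdue_poam": overdue,
        "closed_but_present": closed_but_present,
    }


def run_report(today=date(2010, 9, 30)):
    """Run the reconciliation over the constructed data as of a given date."""
    return reconcile(BOUNDARY, parse_csv(SCAN_CSV), parse_csv(POAM_CSV), today)


if __name__ == "__main__":
    for check, items in run_report().items():
        print(f"{check}: {items}")
```

The fourth check is the one most often missed by hand: a POA&M item can be closed on paper while the next scan still finds the weakness, so closure evidence should be the absence of the finding in a later scan, not only a status change in the register.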

Security Management: 

• Policies and procedures requiring the completion and tracking of specialized training for 
FEMA employees and contractors with significant information security responsibilities had 
not been established or implemented as required by DHS policy. Additionally, with the 
exception of Information System Security Officers (ISSOs), FEMA had not formally 
identified all individuals or positions that were subject to the training requirements. 
• G&T IFMIS was not certified and accredited prior to implementation into the production 
environment in FY 2007 and had been operating without an Authorization to Operate 
(ATO) for the majority of FY 2010. 

• Web and application servers for PARS had not been certified and accredited, and the PARS 
database operated for the majority of FY 2010 without an adequate ATO. 

• ISSOs were not formally designated for G&T IFMIS and PARS for the majority of the 
fiscal year. 

• Certification and accreditation (C&A) activities for IFMIS-Merger and NEMIS were not 
completed in accordance with DHS and NIST requirements. 

• The FEMA Switch Network (FSN)-2 C&A package was not completed in compliance with 
DHS and NIST requirements and had not been updated to reflect the current operating 
environment. Additionally, the ATO expired in January 20 1 and was not renewed. As a 
result, the FSN-2 GSS was operating without a valid ATO. 

• Although the FSN-2 C&A package references various subsystems supporting and hosting 
IFMIS and NEMIS, FEMA management was unable to identify and confirm the FSN-2 
subsystems (including regional LANs) that host all the production servers for NEMIS and 
IFMIS applications. 

• The system security plan (SSP) for NEMIS did not fully document the systems boundaries, 
define all subsystems and major applications, or document the assignment of FEMA 
personnel with security responsibilities for all system components. 

• The C&A for the legacy NFIP IT system pertaining to the Traverse application, TRRP 
application, and NFIP LAN had not been certified and accredited or fully authorized for 
operation, in accordance with DHS policy for FY 2010. 

• Procedures for managing FEMA IT security incidents were not developed, approved, and 
implemented, in accordance with DHS policy. 

• Entity-level corrective actions to integrate and develop sufficient and effective methods of 
communication to ensure that significant financial-related system development and 
acquisition projects involve all relevant stakeholders, including the Office of the Chief 
Financial Officer (OCFO), had not been established. Additionally, FEMA management had 
not taken action to enhance and further develop current acquisition management processes 
to ensure that organization-specific requirements exist and are implemented so that each 
project meets organizational mission needs and functional and technical requirements as 
required by DHS and NIST guidance. 

• IT security management responsibilities were not consistently or adequately assigned and 
performed over the FEMA POA&M process for FY 2009 IT audit findings, in accordance 
with DHS guidance. 

• Suitability investigations for FEMA federal employees and contractors were not 
appropriately conducted, and position sensitivity levels associated with employees and 
contractors with elevated system privileges did not have appropriate position sensitivity 
designations. Additionally, formal procedures were not developed or implemented for 
conducting suitability screenings for contractors accessing DHS IT systems. 
• FEMA did not have a process for centrally tracking the status of contractors or an effective 
and formal process for notifying the Office of the Chief Information Officer (OCIO) of 
changes in contractor status so that contractor user accounts could be appropriately 
disabled, removed, or modified in a timely manner. 

Related to security management, we performed after-hours physical security testing to identify risks 
related to non-technical aspects of IT security. These non-technical IT security aspects included 
physical access to media and equipment that housed financial data and information residing on a 
FEMA employee's / contractor's desk which could be used by others to gain unauthorized access to 
systems housing financial information. The specific results are listed below: 



Exceptions noted at the FEMA locations tested (blank cells indicate no exception of that type at that location): 

Exceptions Noted                          | Washington Design Center | Patriots Plaza | TechWorld | Total Exceptions by Type 
------------------------------------------|--------------------------|----------------|-----------|------------------------- 
Passwords                                 | 5                        | 3              | 3         | 11 
For Official Use Only (FOUO)              |                          | 1              |           | 1 
Keys                                      |                          |                |           | 
Personally Identifiable Information (PII) | 3                        | 2              | 3         | 8 
External Drives                           |                          |                | 1         | 1 
Server Names / IP Addresses               | 2                        | 2              |           | 4 
Credit Card Numbers                       |                          | 1              | 1         | 2 
Classified Documents                      |                          |                |           | 
Other                                     | 1                        | 2              | 3         | 6 
Total by Location                         | 11                       | 11             | 11        | 33 



To complement FY 2010 security management audit procedures, social engineering testing was 
conducted. Social engineering is defined as the act of attempting to manipulate or deceive 
individuals into taking action that is inconsistent with DHS policies, such as divulging sensitive 
information or allowing / enabling computer system access. The term typically applies to trickery 
or deception for the purpose of information gathering or gaining computer system access. During 
the social engineering testing, several personnel provided us with user IDs and/or passwords. The 
specific results of our testing are documented in the table below: 



Testing Date | Total Called | Total Answered | # of Personnel Who Provided Their User ID and Password | # of Personnel Who Provided Their User ID Only | # of Personnel Who Provided Their Password Only 
-------------|--------------|----------------|--------------------------------------------------------|------------------------------------------------|------------------------------------------------ 
07/08/2010   | 25           | 11             | 2                                                      | 4                                              | 
08/11/2010   | 34           | 11             | 1                                                      | 8                                              | 1 
Access Controls: 

• Password, security patch management, and configuration deficiencies were identified 
during the vulnerability assessment on hosts supporting the key financial applications and 
general support systems. 

• TRRP, IFMIS-Merger, G&T IFMIS, NEMIS, and PARS application and/or database 
accounts, network accounts, and remote user accounts were not periodically reviewed for 
appropriateness and/or were not fully and accurately recertified in accordance with FEMA 
and DHS policy, resulting in inappropriate authorizations and excessive user access 
privileges. For G&T IFMIS, we determined that recertification of user accounts had not 
been conducted since the application was implemented at FEMA in FY 2007. 

• IFMIS-Merger, G&T IFMIS, and NEMIS application accounts, network accounts, and 
remote user accounts were not disabled or removed promptly upon personnel termination. 

• Initial and modified access granted to IFMIS-Merger, G&T IFMIS and PARS financial 
application and/or database, network, and remote users was not properly documented and 
authorized. 

• Documented procedures for auditing NEMIS, IFMIS-Merger, G&T IFMIS, and PARS 
databases were not comprehensive and did not meet DHS requirements. Additionally, for 
these financial systems and the NFIP LAN and TRRP, logging of operating system, 
application, and/or database events required to be recorded were not enabled for some or all 
of the events, audit logs were not appropriately reviewed and/or were reviewed by those 
with conflicting roles, and evidence of audit log reviews was not retained. 

• Strong password requirements were not enforced on the NEMIS, IFMIS-Merger, G&T 
IFMIS, and PARS databases and the FEMA LAN. 

• FEMA's process for authorizing and managing remote virtual private network (VPN) 
access to external state emergency management agencies and FEMA contractors did not 
comply with DHS and FEMA requirements. Specifically, existing documentation did not 
define the requirements for administering the site survey process with external 
organizations seeking VPN access or identify FEMA roles and responsibilities for 
managing VPN access granted to external individuals using non-DHS equipment to access 
the FEMA network. 

• A formalized process for modifying IFMIS-Merger system security functions to ensure that 
appropriate privileges are created, documented, approved, and monitored did not exist. 

• Two-factor authentication was not used for VPN access, as required by DHS policy. 

• System administrator root access to IFMIS-Merger and G&T IFMIS were not properly 
restricted, logged, and monitored. 

• Emergency and temporary access to the IFMIS-Merger and G&T IFMIS databases was not 
properly authorized, and contractor development personnel were granted conflicting access 
to implement database changes. 
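Several of the access control findings above (accounts not recertified, accounts left enabled after personnel termination, and privileged access granted without documented authorization), together with the shared "ifmiscm" deployment account noted under Configuration Management, reduce to a periodic comparison of the HR roster against each system's account export. The script below is an added example written for this letter's readers, not a FEMA or KPMG tool: the HR roster, the account export, the recertification interval, and the set of roles treated as privileged are all constructed assumptions, and the only identifier taken from the report is the "ifmiscm" account name used to illustrate an account with no individual owner.

```python
"""Account lifecycle review for a financial application.  Added example; the
HR roster, the account export and the thresholds below are constructed and
are not FEMA or DHS policy values."""
import csv
import io
from datetime import date

# Constructed HR roster: current status and separation date where applicable.
HR_CSV = """user,status,separation_date
asmith,Active,
bjones,Separated,2010-07-15
cdoe,Separated,2010-09-28
dlee,Active,
"""

# Constructed application account export.  authorization_ref is the reference
# of the approved access request on file; empty means none could be produced.
ACCOUNTS_CSV = """user,system,enabled,role,last_recertified,authorization_ref
asmith,IFMIS,Y,AP_CLERK,2009-08-01,AR-112
bjones,IFMIS,Y,AP_CLERK,2010-03-01,AR-130
cdoe,NEMIS,Y,DBA,2010-03-01,AR-131
dlee,NEMIS,Y,DBA,2010-03-01,
ifmiscm,IFMIS,Y,ADMIN,2010-03-01,AR-090
"""

PRIVILEGED_ROLES = {"DBA", "ADMIN"}  # assumed set of privileged roles
RECERT_MAX_DAYS = 365                # assumed recertification interval


def parse_csv(text):
    """Parse an in-memory CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(hr_rows, account_rows, today):
    """Flag enabled accounts that violate the four lifecycle controls."""
    hr = {r["user"]: r for r in hr_rows}
    separated_enabled, stale_recert, no_hr_record, priv_unauthorized = [], [], [], []
    for acct in account_rows:
        if acct["enabled"] != "Y":
            continue  # disabled accounts are out of scope for these checks
        person = hr.get(acct["user"])
        if person is None:
            # No individual owner in HR: shared, service or orphaned account.
            no_hr_record.append((acct["user"], acct["system"]))
        elif person["status"] == "Separated":
            # Still enabled after termination; report how long it has been.
            days = (today - date.fromisoformat(person["separation_date"])).days
            separated_enabled.append((acct["user"], acct["system"], days))
        recert_age = (today - date.fromisoformat(acct["last_recertified"])).days
        if recert_age > RECERT_MAX_DAYS:
            stale_recert.append((acct["user"], acct["system"], recert_age))
        if acct["role"] in PRIVILEGED_ROLES and not acct["authorization_ref"]:
            priv_unauthorized.append((acct["user"], acct["system"], acct["role"]))
    return {
        "separated_still_enabled": separated_enabled,
        "recertification_overdue": stale_recert,
        "no_hr_record": no_hr_record,
        "privileged_without_authorization": priv_unauthorized,
    }


def run_review(today=date(2010, 9, 30)):
    """Run the review over the constructed data as of a given date."""
    return review_accounts(parse_csv(HR_CSV), parse_csv(ACCOUNTS_CSV), today)


if __name__ == "__main__":
    for check, items in run_review().items():
        print(f"{check}: {items}")
```

Reporting the number of days an account has stayed enabled after separation, rather than a bare yes/no, lets the reviewer distinguish a removal that is simply in progress from one that the termination notification process never triggered, which is the distinction the contractor-status finding above turns on.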
Segregation of Duties: 

• Access was inappropriately granted to NEMIS developers to allow unrestricted access to 
both the production and development code in the Test and Development Laboratory (TDL) 
environment, and NEMIS code approved for implementation was not locked down within 
the TDL environment prior to deployment to production to further restrict developer access. 

• Additional segregation of duties weaknesses were noted in other FISCAM areas. 
Specifically, weaknesses in those areas pertain to access controls over audit log reviews and 
configuration management controls for migrating code into production. See those 
respective sections for additional information. 

Contingency Planning: 

• An alternate processing site for NEMIS was not established and implemented. 
Additionally, an exception to DHS policy for the lack of an established alternate processing 
site, as required for systems such as NEMIS that are categorized as "high impact" for 
availability, had not been requested by FEMA. 

• Documented procedures that outline processes for performing backups of NEMIS 
production databases and for rotating and physically securing backup tapes off-site had not 
been formally defined. Additionally, evidence that all databases were being backed up 
could not be provided. 

• NEMIS backup tapes were not regularly tested in accordance with FEMA and DHS policy. 

• Full scale testing of the NEMIS contingency plan was not conducted, and the plan did not 
adequately and comprehensively include information for fully restoring NEMIS in 
accordance with requirements for high impact availability systems or accurately include 
NEMIS system architecture information. 

• The existing NFIP LAN and Traverse contingency plan was not updated and in compliance 
with DHS and NIST requirements. Additionally, the plan had not been tested within the 
past 12 months, and no alternate processing site had been identified. 

• A documented and approved IT contingency plan for the mainframe environment 
supporting the TRRP system has not been completed, and contingency testing over TRRP 
was not sufficiently conducted in accordance with DHS and NIST requirements. 

• The NFIP contractor's Continuity of Operations Planning (COOP) for Traverse and TRRP 
could not be provided for auditor review. 

Recommendations: 

No recommendations are required for the G&T IFMIS portions of the conditions noted above as the 
system was decommissioned in June 2010. We recommend that the FEMA Chief Information 
Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS OCFO and the 
DHS OCIO, make the following improvements to FEMA's financial management systems and 
associated information technology security program. 
For Configuration Management: 

• Develop, finalize, and implement formal procedures over NEMIS and IFMIS-Merger 
operating systems and the NFIP LAN supporting Traverse for: (1) conducting periodic 
internal vulnerability scans of FEMA and NFIP financial systems; (2) assessing, reporting, 
tracking, monitoring, and correcting vulnerabilities identified during internal scans; and (3) 
ensuring procedures are implemented for all components of the systems; 

• Revise, implement, and ensure adherence to the SOP for monitoring sensitive access to 
NEMIS operating system software to ensure that the scope of the procedures includes all 
defined NEMIS servers, and deploy the appropriate tool(s) to support audit logging 
functions on the NEMIS servers, in accordance with FEMA and DHS policy; 

• Develop and implement configuration management policies and procedures for NEMIS 
emergency and non-emergency changes to financial systems application software, and 
ensure consistent adherence with requirements for approving, testing, documenting, 
properly controlling and tracking changes, and retaining related documentation; 

• Document and implement a formalized process and procedures for deploying NEMIS 
changes to ensure that the movement of production code for the NEMIS production 
environment is appropriately controlled; 

• Revise and implement configuration management policies and procedures over 
documenting and maintaining current baseline configurations for network devices 
supporting financial applications, including IFMIS-Merger and NEMIS, to ensure DHS and 
FEMA requirements are adequately addressed and configuration baselines are 
comprehensively documented by FEMA. Additionally, policies and procedures should 
include guidance over requirements such as roles and responsibilities, documentation of 
baselines, periodic review and auditing, and approval of baseline changes for network 
devices; 

• Limit IFMIS-Merger developer access to the production environment to "read only," and 
segregate the responsibility for deploying application code changes into production from 
the development contractor to an independent control group. If business needs require that 
the segregation of duties cannot be immediately implemented, develop and implement 
formal procedures for conducting periodic reviews of IFMIS-Merger developer changes to 
financial application directories and sub-directories to verify that only authorized changes 
are implemented into production and for retaining evidence of reviews conducted on file; 

• Conduct and document a lessons learned report related to the IFMIS-Merger project per 
DHS SELC guidance; 

• Update the current versions of IFMIS-Merger, Traverse, and TRRP configuration 
management plans and procedures to comprehensively address DHS and FEMA 
requirements. Additionally, ensure the implementation of updated versions of the current 
IFMIS-Merger, Traverse, and TRRP configuration management procedures. The 
procedures should require initial approvals of change requests and establish a process for 
obtaining Change Control Board and Technical Review Committee approvals prior to 
implementing standard and emergency changes into production; 
• Dedicate the appropriate resources to complete efforts to further document and fully 
implement comprehensive patch management policies and procedures for NEMIS and 
IFMIS-Merger; 

• Document, finalize, and implement comprehensive patch management policies and 
procedures that outline requirements for authorizing, testing, and installing required patches 
for the NFIP LAN operating system supporting Traverse; and 

• Limit Traverse development vendor access to the production environment to "read only," 
and segregate the responsibility for deploying application code changes into production 
from the development contractor to an independent control group. If business needs require 
that the segregation of duties cannot be immediately implemented, establish a separate 
account for use by the NFIP third-party development vendor when implementing Traverse 
changes that is limited to activation on an as-needed basis, and establish a process for 
monitoring and verifying that configuration changes by the vendor are implemented and 
documented in accordance with policy. 

For Security Management: 

• Develop and implement policies and procedures requiring initial and periodic specialized 
training for individuals with significant information security responsibilities. Policies and 
procedures should identify specific roles and positions possessing significant information 
security responsibilities that are subject to specialized training requirements and include 
requirements for tracking training; 

• Certify and accredit all components of PARS in accordance with applicable DHS policies 
and Federal guidance, and formally designate an ISSO for all components of the system; 

• Update and complete all required C&A artifacts for NEMIS, IFMIS-Merger, Traverse, 
TRRP, the NFIP LAN and FSN-2 in accordance with DHS policy and NIST guidance. 
Additionally, ensure that C&A artifacts, including the risk assessment or the results of the 
required risk assessment activities, the Security Testing and Evaluation (ST&E), and the 
Security Assessment Report (SAR) are conducted and documented over all components of 
the systems in accordance with established DHS baseline controls according to the security 
categorization of the system; 

• Ensure that the NEMIS SSP is updated in accordance with DHS policy so that the system's 
boundaries, components, and roles and responsibilities are properly defined and 
documented. Additionally, implement a formal process for periodically reviewing and 
assessing system documentation to ensure software and hardware components are 
accurately reflected; 

• Develop and implement approved procedures for managing security incidents that clearly 
outline roles and responsibilities required to maintain a continuous incident response 
capability, and provide training to all personnel with assigned roles and responsibilities; 

• Define and implement formal and repeatable processes to ensure that financial systems 
development and acquisition projects are conducted in compliance with DHS SELC and 
acquisition requirements and Federal guidance; 
• Establish and document a formalized process to provide IT security management oversight 
to ensure that adequate periodic review and assessment of security controls are performed 
and corrective actions are appropriately assigned and implemented over identified security 
weaknesses through the POA&M process; 

• Further refine processes to ensure that background investigations for all types of federal 
employees and contractors are performed, and reevaluate and assign the correct position 
sensitivity levels for federal employees and contractors with access to DHS information 
systems. FEMA Acquisitions, FEMA Personnel Security, and FEMA IT should also work 
together to implement procedures to ensure a more centralized and coordinated process for 
tracking and completing background investigations over contractor personnel, in 
accordance with DHS policy; 

• Document and implement procedures for tracking contractor on-boards, transfers, and 
separations that include assignment of roles and responsibilities to appropriate FEMA 
management and stakeholders and steps for notifying the OCIO and system owners of 
changes in contractor status that require changes to user access; and 

• Review the effectiveness of existing security awareness programs designed to protect 
"need-to-know" information, including IT system access credentials, electronic and 
physical data, PII, and FOUO agency information, and ensure that individuals are 
adequately instructed and reminded of their roles in the protection of sensitive system 
information from unauthorized individuals through formal, periodic communications and/or 
security awareness training. 

For Access Controls: 

• Implement the specific vendor-recommended corrective actions detailed in the Notice of 
Finding and Recommendation (NFR) that was issued for deficiencies identified during our 
vulnerability assessment; 

• Fully establish and/or implement user account management recertification processes and 
require completion of periodic reviews of all user accounts for appropriate access and 
documentation of current user profiles on IFMIS-Merger, NEMIS, TRRP, and PARS as 
well as the FEMA/NFIP networks and remote user accounts. The processes should include 
revocation of accounts that cannot be verified during recertification processes; 

• Update, as necessary, and consistently implement procedures and processes to ensure that 
all system accounts, including remote access accounts, of terminated employees and 
contractors are immediately removed/disabled upon their departure; 

• Review and revise existing procedures to require documented authorization of new and 
modified user accounts by supervisors, program managers, and contracting officers' 
technical representatives in accordance with DHS requirements; 

• Revise and implement detailed procedures requiring the consistent and timely review of 
IFMIS-Merger, NEMIS, and PARS database and financial application logs and the 
maintenance of documentation supporting such reviews in accordance with DHS 
requirements. These procedures should also incorporate segregation of duties principles; 
• Configure audit logs for financial databases and applications to ensure that auditable events, 
as required by DHS policy, are recorded and appropriately reviewed by personnel without 
conflicting duties, and sufficient evidence is retained; 

• Configure NEMIS, IFMIS-Merger, and PARS databases and FEMA LAN accounts to 
enforce strong password and authenticator control requirements, and ensure that individuals 
with system/database administration and security responsibilities are aware of and properly 
trained in DHS, FEMA, and Federal requirements; 

• Revise and implement policies and procedures for documenting, reviewing, and approving 
the security controls in place over non-DHS equipment connecting to the FEMA network 
via VPN access, and ensure that roles, responsibilities, and security requirements for 
authorizing and managing VPN access for external organizations connecting to the FEMA 
network are defined and implemented in accordance with DHS and FEMA policy; 

• Develop and implement policies and procedures that document the process of adding, 
deleting, and modifying IFMIS-Merger security functions to ensure that the proper controls 
are in place for modifying user account privileges. Additionally, ensure that the use of 
function modification privileges is monitored; 

• Implement and require two-factor authentication for all remote access to the FEMA 
network; 

• Develop and implement procedures for monitoring IFMIS system administrator and 
highly-privileged account activities and restricting access to the root account, and ensure that 
reviews of system logs and records are properly conducted; and 

• Establish a formal process for granting IFMIS-Merger emergency and temporary database 
access that includes segregation of duties considerations and appropriate approval from 
FEMA management as required by DHS policy. 
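As an added illustration that is not code from the report or from FEMA, the account recertification and termination checks recommended above (revoking accounts that cannot be verified, disabling accounts of separated users, and retaining evidence of the review) are expressed here as a reconciliation over constructed roster and account data; the system names, usernames, thresholds and reviewer are assumptions.

```python
"""Periodic user-account recertification check (added example, not from the report).

Reconciles a system's enabled accounts against an HR/contractor roster and the
set of accounts a supervisor attested to, and produces the actions the
recommendation calls for: disable accounts of separated people, revoke accounts
that cannot be verified, and keep evidence of what was reviewed.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Person:
    person_id: str
    name: str
    status: str                        # "active" or "separated"
    separation_date: Optional[date] = None


@dataclass(frozen=True)
class Account:
    system: str                        # e.g. "IFMIS-Merger", "NEMIS", "PARS"
    username: str
    owner_id: str                      # person the account was issued to
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Finding:
    system: str
    username: str
    action: str                        # "disable", "revoke" or "review"
    reason: str


def recertify(accounts: List[Account], roster: List[Person],
              attested: Set[Tuple[str, str]], review_date: date,
              dormant_days: int = 90) -> List[Finding]:
    """Return the actions a recertification review should produce.

    attested holds (system, username) pairs a supervisor confirmed as still
    required. An enabled account must map to an active person AND carry an
    attestation; anything that does not is flagged, and accounts that cannot
    be verified are revoked rather than left in place.
    """
    people = {p.person_id: p for p in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue                   # already disabled: nothing to recertify
        owner = people.get(acct.owner_id)
        if owner is None:
            findings.append(Finding(acct.system, acct.username, "revoke",
                                    "no matching person on HR/contractor roster"))
        elif owner.status == "separated":
            findings.append(Finding(acct.system, acct.username, "disable",
                                    f"owner separated on {owner.separation_date}"))
        elif (acct.system, acct.username) not in attested:
            findings.append(Finding(acct.system, acct.username, "revoke",
                                    "access not verified during recertification"))
        elif acct.last_login is None or (review_date - acct.last_login).days > dormant_days:
            findings.append(Finding(acct.system, acct.username, "review",
                                    f"no login in the last {dormant_days} days"))
    return findings


def evidence_lines(findings: List[Finding], review_date: date, reviewer: str) -> List[str]:
    """Plain-text record of the review, to be retained as evidence it was performed."""
    header = (f"Recertification {review_date.isoformat()} reviewed by {reviewer}: "
              f"{len(findings)} action(s)")
    return [header] + [f"{f.system} {f.username}: {f.action} ({f.reason})" for f in findings]


# Constructed sample data: not real FEMA personnel, accounts or dates of record.
REVIEW_DATE = date(2010, 9, 30)
ROSTER = [
    Person("E100", "A. Analyst", "active"),
    Person("C200", "B. Contractor", "separated", date(2010, 7, 15)),
    Person("E300", "C. Admin", "active"),
]
ACCOUNTS = [
    Account("IFMIS-Merger", "aanalyst", "E100", True, date(2010, 9, 20)),
    Account("IFMIS-Merger", "bcontractor", "C200", True, date(2010, 7, 14)),
    Account("NEMIS", "cadmin", "E300", True, date(2010, 4, 1)),
    Account("NEMIS", "svc_legacy", "X999", True, None),   # owner unknown
    Account("PARS", "oldacct", "E100", False, None),      # already disabled
]
ATTESTED = {("IFMIS-Merger", "aanalyst"), ("NEMIS", "cadmin")}


def run_sample() -> List[Finding]:
    """Run the review over the constructed data."""
    return recertify(ACCOUNTS, ROSTER, ATTESTED, REVIEW_DATE)


if __name__ == "__main__":
    for line in evidence_lines(run_sample(), REVIEW_DATE, "supervisor@example"):
        print(line)
```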

For Segregation of Duties: 

• Develop and implement formal processes and procedures for restricting and monitoring 
access to the NEMIS TDL directories to ensure that the principles of least privilege and 
segregation of duties are enforced. The processes should include requirements for 
monitoring the NEMIS TDL directories to ensure that no changes occur after NEMIS system 
changes have been approved, and should limit developers' access to the approved 
production code to "read only." 

For Contingency Planning: 

• Complete on-going efforts to establish and implement an alternate processing site for 
NEMIS; 

• Ensure that a formal process is established and implemented to fully backup all necessary 
components of the NEMIS database and periodically test NEMIS backup media at a 
frequency that is in accordance with FEMA and DHS policy; 

• Update the NEMIS contingency plan in accordance with DHS requirements for high impact 
availability systems, inclusive of accurate system architecture information; conduct 
documented annual tests of the plan; and as necessary, update the plan with lessons learned 
from testing; 

• Update and appropriately test the NFIP contingency plan pertaining to the NFIP LAN and 
Traverse system, in accordance with DHS requirements; identify alternate processing sites 
for each system; and test fail-over capability at the alternate processing site; 

• Develop, document, and fully implement an IT contingency plan for TRRP in accordance 
with DHS requirements; conduct documented annual tests of the plan; and as necessary, 
update the plan with lessons learned from testing; and 

• Document, implement, and maintain the NFIP COOP to ensure required elements for 
Traverse and TRRP are included in accordance with DHS guidance for high impact 
systems. 

APPLICATION CONTROLS 

We concluded that application controls over NEMIS, IFMIS-Merger, G&T IFMIS, and PARS could 
not be relied upon for purposes of our FY 2010 audit procedures because of the nature of the 
general IT control deficiencies identified and discussed above. As a result, we did not test 
application controls for these financial systems. However, we conducted certain application control 
testing over key financial systems supporting NFIP. Based on the testwork conducted, we did not 
identify any findings in the area of application controls related to NFIP during the FY 2010 DHS 
financial statement audit engagement. 



MANAGEMENT'S COMMENTS AND OIG RESPONSE 

We received written comments on a draft of this report from FEMA's Chief Information Officer. 
Generally, FEMA agreed with our findings and recommendations. FEMA's management has 
developed a remediation plan to address these findings and recommendations. A copy of the 
comments is included in Appendix D. 

OIG Response 

We agree with the steps that FEMA's management is taking to satisfy these recommendations. 
FY 2010 DHS Financial Statement Audit Engagement 

Below is a description of significant FEMA financial management systems and supporting IT 
infrastructure included in the scope of the DHS FY 2010 financial statement audit engagement. 



Locations of Testing: FEMA Headquarters in Washington, D.C.; the Mount Weather Emergency 
Operations Center in Bluemont, Virginia; IT operations in Winchester, Virginia; NFIP in Crystal 
City, Virginia; and the NFIP contractor location in Lanham, Maryland (which was later moved in 
August 2010 to Landover, Maryland). 

Systems Subject to Audit: 

Core Integrated Financial Management Information System (IFMIS) [1] (Operational through 
February 22, 2010) 

Core IFMIS was the key financial reporting system and had several feeder subsystems (budget, 
procurement, accounting, and other administrative processes and reporting). The application was 
a Commercial Off-The-Shelf (COTS) software package developed and maintained by Digital 
Systems Group Incorporated (DSG). 

Grants and Training (G&T) IFMIS [2] (Operational through February 22, 2010) 

In April 2007, the Office of G&T that was previously under the Department of Justice was 
transferred to FEMA. Due to the short amount of time given to FEMA to take over the financial 
management role for G&T in FY 2007, a separate instance of IFMIS was inherited from the 
Department of Justice, resulting in two separate IFMIS instances at FEMA. G&T IFMIS held all 
former G&T financial information. The application was a COTS software package developed and 
maintained by DSG. 

IFMIS-Merger [3] (Operational beginning February 23, 2010) 

IFMIS-Merger is the official accounting system of FEMA and maintains all financial data for 
internal and external reporting. IFMIS-Merger is comprised of five subsystems: Funding, Cost 
Posting, Disbursements, Accounts Receivable, and General Ledger. The application is a COTS 
software package developed and maintained by DSG. 



[1] During FY 2009, FEMA management reported that the G&T IFMIS and Core IFMIS versions would be 
merged into one system. Between October 1, 2009 and February 22, 2010, G&T and Core IFMIS were both 
operational and used to process FEMA financial data. On February 23, 2010, FEMA suspended the use of the 
G&T IFMIS version and had completed the final changes to Core IFMIS, which would then become 
IFMIS-Merger. The final IFMIS-Merger version went live on February 23, 2010 and is now the system of record. 

[2] G&T IFMIS was decommissioned in June 2010 after the merger of G&T IFMIS and Core IFMIS in 
February 2010. 

[3] The final IFMIS-Merger version went live on February 23, 2010 and is now the system of record. 
Payment and Reporting System (PARS) 

PARS is a standalone web-based application. The PARS database resides on the IFMIS-Merger 
UNIX server [4]. Through its web interface, PARS collects Standard Form 425 (SF-425) information 
from grantees and stores the information in its Oracle 9i database. Automated chronological jobs are 
run daily to update and interface grant and obligation information between PARS and 
IFMIS-Merger. All payments to grantees are made through IFMIS-Merger. Prior to the IFMIS-Merger 
instance in February 2010, the PARS application interfaced with G&T IFMIS. 

National Emergency Management Information System (NEMIS) 

NEMIS is a FEMA-wide system of hardware, software, telecommunications, services, and 
applications. NEMIS consists of many integrated subsystems distributed over hundreds of 
separate servers accessed by thousands of client workstations. 

NEMIS is an integrated system to provide FEMA, the states, and other federal agencies with 
automation to perform disaster related operations. NEMIS supports all phases of emergency 
management and provides financial related data to IFMIS via an automated interface. 

Traverse 

Traverse is the general ledger application currently used by the NFIP Bureau and Statistical Agent 
to generate the NFIP financial statements. Traverse is a client-server application that runs on the 
NFIP LAN Windows server environment in Landover, Maryland (previously Lanham, Maryland). 
The Traverse client is installed on the desktop computers of the NFIP Bureau of Financial Statistical 
Control group members. 

Transaction Recording and Reporting Processing (TRRP) 

The TRRP application acts as a central repository of all data submitted by the Write Your Own 
(WYO) companies for the NFIP. TRRP also supports the WYO program, primarily by ensuring the 
quality of financial data submitted by the WYO companies to TRRP. TRRP is a mainframe-based 
application that runs on the NFIP mainframe logical partition in Norwich, Connecticut. 



[4] Prior to the merger of Core IFMIS and G&T IFMIS, PARS resided on the Core IFMIS server. 

Appendix B 

FY 2010 Notices of IT Findings and Recommendations at the 
Federal Emergency Management Agency 
Notice of Findings and Recommendations (NFR) - Definition of Severity Ratings: 

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on 
the DHS Consolidated Independent Auditors' Report. 

1 - Not substantial 

2 - Less significant 

3 - More significant 

The severity ratings indicate the degree to which the deficiency influenced the determination of 
severity for consolidated reporting purposes. 

These ratings are provided only to assist FEMA in the development of its corrective action plans for 
remediation of each deficiency. 
NFR No. | Description | Disposition (Closed, or Repeat NFR No.) 

FEMA-IT-09-02 | Configuration Management Weaknesses on IFMIS, NEMIS, and Key Support Servers (vulnerability assessment finding) | Repeat: FEMA-IT-10-41 
FEMA-IT-09-03 | Weaknesses Exist over Recertification of Access to IFMIS | Repeat: FEMA-IT-10-14 
FEMA-IT-09-06 | Documentation Supporting the IFMIS User Functions Does Not Exist | Repeat: FEMA-IT-10-49 
FEMA-IT-09-12 | NEMIS Access Controls Need Improvement | Repeat: FEMA-IT-10-01 
FEMA-IT-09-13 | Employee Termination Process for Removing System Access Should be More Proactive | Repeat: FEMA-IT-10-21 
FEMA-IT-09-17 | System Programmers Have the Ability to Migrate Code into the IFMIS Production Environment | Repeat: FEMA-IT-10-39 
FEMA-IT-09-19 | Monitoring of NEMIS System Software Needs Improvement | Repeat: FEMA-IT-10-04 
FEMA-IT-09-22 | Alternate Processing Site for NEMIS Has Not Been Established | Repeat: FEMA-IT-10-02 
FEMA-IT-09-24 | NEMIS Backups are Not Tested in Accordance with Policy | Repeat: FEMA-IT-10-36 
FEMA-IT-09-25 | The NEMIS Contingency Plan is Not Tested | Repeat: FEMA-IT-10-20 
FEMA-IT-09-28 | NEMIS Configuration Management Process for Non-Emergency Changes Needs Improvement | Repeat: FEMA-IT-10-62 
FEMA-IT-09-29 | NEMIS Emergency Change Process Needs Improvement | Repeat: FEMA-IT-10-62 
FEMA-IT-09-38 | Segregation of Duties Not Enforced for Traverse | Closed 
FEMA-IT-09-39 | Traverse Contingency Plan Not Tested and NFIP Disaster Recovery and COOP Needs Improvement | Repeat: FEMA-IT-10-61 
FEMA-IT-09-45 | IFMIS User Access is Not Managed in Accordance with Account Management Procedures | Repeat: FEMA-IT-10-26 
FEMA-IT-09-46 | IFMIS System Interconnections Agreements Have Not Been Reauthorized | Closed 
FEMA-IT-09-48 | Corrective Action over NEMIS Vulnerabilities is Not Formally Documented | Repeat: FEMA-IT-10-33 
FEMA-IT-09-50 | Weaknesses Exist over IFMIS Application and Database Audit Logging | Repeat: FEMA-IT-10-11 
FEMA-IT-09-51 | NEMIS Oracle Audit Logging is Not Tracked | Repeat: FEMA-IT-10-09 
FEMA-IT-09-52 | Existing NEMIS Patch Management Guidance Needs to be Implemented | Repeat: FEMA-IT-10-35 
FEMA-IT-09-53 | The NEMIS SSP Had Not Been Fully Updated in Accordance with DHS Policy | Repeat: FEMA-IT-10-18 
FEMA-IT-09-54 | Traverse Application Management Needs Improvement | Repeat: FEMA-IT-10-58 
FEMA-IT-09-56 | G&T IFMIS Oracle Database Security Controls are Not Configured Properly | Repeat: FEMA-IT-10-27 
FEMA-IT-09-57 | G&T IFMIS Oracle Database Auditing is Not Sufficient | Repeat: FEMA-IT-10-13 
FEMA-IT-09-58 | Recertification of G&T IFMIS Application and Database Access has Not Been Performed | Repeat: FEMA-IT-10-15 
FEMA-IT-09-59 | System Programmers Have the Ability to Migrate Code into the G&T IFMIS Production Environment | Repeat: FEMA-IT-10-40 
FEMA-IT-09-60 | NFIP Legacy System C&A is Expired | Repeat: FEMA-IT-10-24 
FEMA-IT-09-61 | G&T IFMIS Certification & Accreditation has Not Been Performed | Repeat: FEMA-IT-10-16 
FEMA-IT-09-62 | VPN Remote Access is Not Appropriately Authorized or Monitored | Repeat: FEMA-IT-10-25 
FEMA-IT-09-63 | External Connections to the FEMA VPN are Not Appropriately Authorized or Documented | Repeat: FEMA-IT-10-50 
FEMA-IT-09-64 | Core IFMIS Oracle Database is Not Configured to Prevent the Reuse of Passwords | Repeat: FEMA-IT-10-07 
FEMA-IT-09-(number illegible in source) | G&T IFMIS Access Authorizations are Not Consistently Documented | Repeat: FEMA-IT-10-12 
FEMA-IT-09-66 | NEMIS Oracle Database is Not Configured to Enforce DHS Password Requirements | Repeat: FEMA-IT-10-06 
FEMA-IT-09-67 | End-User Workstation Screensaver Configuration is Not Sufficient | Repeat: FEMA-IT-10-03 
FEMA-IT-09-68 | PARS Has Not Been Certified and Accredited | Repeat: FEMA-IT-10-29 
FEMA-IT-09-69 | Transaction Recording and Reporting Processing (TRRP) Configuration Management Plan Weaknesses | Repeat: FEMA-IT-10-59 
FEMA-IT-09-70 | Traverse and the NFIP LAN Configuration Patch Management Weaknesses | Repeat: FEMA-IT-10-23 
FEMA-IT-09-71 | Physical Security and Security Awareness Issues Were Identified During Enhanced Security Testing | Repeat: FEMA-IT-10-38 
FEMA-IT-09-72 | Exception Request over IFMIS Audit Logging is Inconsistent with Existing Controls | Closed 
FEMA-IT-09-73 | Core and G&T IFMIS System Software Administrator Activity is Not Appropriately Monitored | Repeat: FEMA-IT-10-44 
FEMA-IT-09-74 | The FEMA Systems Inventory is Incomplete | Closed 
FEMA-IT-09-75 | Requirements for Recertification of Access to the NFIP Data Center | Closed 
FEMA-IT-09-76 | Emergency and Temporary Access to the Core IFMIS Database is Not Properly Authorized and Conflicts with Segregation of Duties Principles | Repeat: FEMA-IT-10-30 
FEMA-IT-09-77 | FEMA and NFIP Planning, Management and Communication Related to Financial Systems Development and Acquisition Projects Needs to be Improved | Repeat: FEMA-IT-10-47 
FEMA-IT-09-78 | Weaknesses Exist in the NEMIS Configuration Management Process under the Enterprise Applications Development Integration and Sustainment (EADIS) contract | Repeat: FEMA-IT-10-(number illegible in source) 
FEMA-IT-09-79 | Weaknesses Exist over Management of FEMA LAN Accounts | Repeat: FEMA-IT-10-22 
FEMA-IT-09-80 | Vulnerability Assessments of the NFIP LAN is Inadequate | Repeat: FEMA-IT-10-(number illegible in source) 
FEMA-IT-09-81 | Improvements are Needed in Core and G&T IFMIS Internal Scanning Procedures and Processes | Repeat: FEMA-IT-10-34 
FEMA-IT-09-82 | Core and G&T IFMIS Patch Management Weaknesses | Repeat: FEMA-IT-10-32 
FEMA-IT-09-83 | EADIS NEMIS Access Restrictions to Program Directories Needs Improvement | Repeat: FEMA-IT-10-51 
FEMA-IT-09-84 | PARS Database Security Controls are Not Appropriately Established | Repeat: FEMA-IT-10-05 
FEMA-IT-09-85 | TRRP Password Configurations Have Not Been Configured in Accordance with DHS Policy | Closed 
FEMA-IT-09-86 | Weaknesses Exist over the Implementation of Traverse System Changes | Repeat: FEMA-IT-10-60 
FEMA-IT-09-87 | Weaknesses Exist in FEMA's Incident Response Program | Repeat: FEMA-IT-10-31 
FEMA-IT-09-88 | Weaknesses Exist over Access Authorizations for TRRP | Repeat: FEMA-IT-10-53 
FEMA-IT-09-89 | Weaknesses Exist over FEMA Background Investigations for Federal Employees and Contractors | Repeat: FEMA-IT-10-45 
FEMA-IT-09-90 | FEMA LAN Certification and Accreditation Package is not Adequate | Repeat: FEMA-IT-10-28 
FEMA-IT-09-91 | FEMA Contractor Tracking Program is Inadequate | Repeat: FEMA-IT-10-10 
U.S. Department of Homeland Security 

Washington, DC 20472 

FEMA 

MEMORANDUM FOR: Frank Deffer 
                Assistant Inspector General 
                Information Technology Audits 

THROUGH:        Brad Shefka 
                Chief, FEMA GAO/OIG Liaison 

FROM:           Jean A. Etzel 
                Chief Information Officer/Director 
                Office of the Chief Information Officer 




SUBJECT: Response to Draft Audit Report — Information Technology Management 
Letter for the Federal Emergency Management Agency Component of the 
FY 2010 DHS Financial Statement Audit - For Official Use Only, OIG 
Project No.: 11-002-ITA-FEMA, dated February 2011 



The Federal Emergency Management Agency (FEMA) appreciates the Department of Homeland Security 
(DHS) Office of the Inspector General providing KPMG's evaluation of FEMA's information technology 
(IT) general controls and their recommendations for improving FEMA's financial processing environment 
and related IT infrastructure. The evaluation has been very helpful in identifying areas requiring 
improvement and prioritizing work to implement their recommendations. 

Generally FEMA concurs with the auditor's recommendations in the report referenced above. The Chief 
Information Officer (CIO) is resolute in directing these audit recommendations be effectively implemented in 
a timely manner. Weekly, FEMA's Audit Remediation Team meets with the Action Officers to review the 
status of implementing these recommendations and address issues that are impeding progress. Branch Chiefs 
receive weekly reports reflecting the current status of their organization's assigned actions and are working 
diligently to correct findings and implement recommendations. Implementation of corrective actions is a 
performance goal for each Branch Chief in the Office of the Chief Information Officer. 

In addition to the detailed Plan of Action and Milestones (POA&M) for each audit recommendation in the 
DHS Trusted Agent FISMA (TAF) system, FEMA has developed detailed remediation work plans to ensure 
root causes are addressed. Remediation work plan status is discussed at weekly meetings with senior 
management. If you have any questions regarding the status of the planned actions, we are available to meet 
with your office. FEMA's senior leadership is committed to completing the remaining actions included in 
each of the POA&Ms at the earliest possible time. 

If you have any questions, please have your staff contact Deborah Moradi, Chief, Governance and Investment 
Integration Branch, at 202-646-3154. 
ADDITIONAL INFORMATION AND COPIES 

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, 
fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig. 



OIG HOTLINE 

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal 
misconduct relative to department programs or operations: 

• Call our Hotline at 1-800-323-8603; 

• Fax the complaint directly to us at (202) 254-4292; 

• Email us at DHSOIGHOTLINE@dhs.gov; or 

• Write to us at: 

DHS Office of Inspector General/MAIL STOP 2600, 
Attention: Office of Investigations - Hotline, 
245 Murray Drive, SW, Building 410, 
Washington, DC 20528. 



The OIG seeks to protect the identity of each writer and caller. 



